By Ian Thomas on January 18, 2022

Ransomware Gangs: Netwalker

Netwalker is a notorious name on the ransomware scene with a prolific record of successful attacks. An estimated $25 million in ransom extortions between March and September 2020 established the gang as a force to be reckoned with. This article looks at Netwalker's operations, the specifics of the ransomware variant, and some high-profile attacks carried out using Netwalker ransomware.


Netwalker: Operations and Ransomware Analysis

Like many modern money-motivated ransomware gangs, Netwalker extended its reach (and profits) by running a ransomware-as-a-service operation. Advertisements for criminal affiliates to use Netwalker’s ransomware emphasized the importance of experience with infiltrating complex IT networks. The ability to speak Russian is another notable requirement to become a Netwalker affiliate.

Netwalker’s members use double extortion tactics to increase pressure on victims by threatening to publish their data online if they don’t meet ransom demands. When recruiting new affiliates, dark web advertisements have indicated a preference for threat actors who already have a foothold inside corporate networks. This foothold makes data exfiltration (and by extension double extortion) more likely.

Netwalker threat actors typically establish initial network access by running phishing and spear-phishing campaigns. A VBS script attached to these emails establishes an initial foothold on the infected machine. Then, the ransomware replaces legitimate processes with the malicious payload, which enables it to lurk inside systems and networks and easily evade detection by both users and anti-virus tools.

Like several other ransomware variants, Netwalker deletes Volume Shadow Copies of files so that victims can’t restore encrypted files from those copies. Interestingly, a batch script created after encryption attempts to delete samples of the ransomware from local machines in a deliberate effort to evade analysis by security researchers.
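The behaviours described in the two paragraphs above (a VBS attachment run from a mail client, shadow-copy deletion, and a batch script launched afterwards) can be hunted for in process-creation logs. The following is an added example, not part of the original article: it flags each behaviour and correlates the batch script with the process that deleted the shadow copies. Assumptions: field names follow Sysmon Event ID 1, the `vssadmin` and `wmic` command lines are the standard Windows ways to delete shadow copies rather than strings the article attributes to Netwalker, and all sample events are constructed.

```python
import re

# Field names are assumed, modelled on Sysmon Event ID 1 (process creation).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
MAIL_CLIENTS = ("outlook.exe",)  # assumption: list the mail clients you run
SHADOW_DELETE = re.compile(
    r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete',
    re.IGNORECASE)
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event_index) pairs for the three behaviours."""
    hits, shadow_parents = [], set()
    for i, e in enumerate(events):
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        cmd, ppid = e["CommandLine"], e["ParentProcessId"]
        # Script host started by a mail client with a .vbs argument.
        if image in SCRIPT_HOSTS and parent in MAIL_CLIENTS and ".vbs" in cmd.lower():
            hits.append(("vbs_from_mail_client", i))
        if SHADOW_DELETE.search(cmd):
            hits.append(("shadow_copy_deletion", i))
            shadow_parents.add(ppid)  # remember which process wiped the copies
        elif image == "cmd.exe" and BATCH_FILE.search(cmd) and ppid in shadow_parents:
            # Heuristic (assumption): same parent wiped shadow copies, then runs a batch file.
            hits.append(("batch_after_shadow_delete", i))
    return hits

def make_event(image, parent, ppid, cmd):
    return {"Image": image, "ParentImage": parent,
            "ParentProcessId": ppid, "CommandLine": cmd}

# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    make_event(r"C:\Windows\System32\wscript.exe",
               r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", 4100,
               r'wscript.exe "C:\Users\a\AppData\Local\Temp\covid_update.vbs"'),
    make_event(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\explorer.exe", 5220,
               "vssadmin.exe delete shadows /all /quiet"),
    make_event(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", 5220,
               r'cmd.exe /c "C:\Users\a\AppData\Local\Temp\cleanup.bat"'),
    make_event(r"C:\Windows\System32\cmd.exe", r"C:\Tools\ide.exe", 900,
               "cmd.exe /c build.bat"),  # benign: parent never touched shadow copies
    make_event(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe", 910,
               "vssadmin.exe list shadows"),  # benign: listing, not deleting
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(rule, SAMPLE_EVENTS[idx]["CommandLine"])
```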

Ransom notes left on victim computers instruct them to contact the gang via the Tor web browser using a victim-specific code. After paying the proposed ransom in Bitcoin, victims are able to download a decryption tool that reverses the Salsa20 encryption applied by Netwalker.

Netwalker Attacks


University of California – San Francisco

In June 2020, Netwalker successfully attacked the University of California San Francisco (UCSF). The university is a global leader in biological and medical research with both a medical school and a medical center. The June 2020 attack encrypted several UCSF servers, which contained important data related to academic research.

This was a particularly high-profile incident not just due to the victim in question but also because the UK’s BBC News managed to follow the ransom negotiations live on the dark web. The university countered an initial demand for $3 million with an offer of $780,000, which Netwalker threat actors denigrated as “a very small amount for us.” Eventually, UCSF negotiators transferred $1.14 million in Bitcoin to Netwalker in return for a decryption tool.


Toll Group

Toll Group is an Australian transportation and logistics company with reported revenue totaling $7.8 billion in 2020. In February of the same year, Toll Group became one of the earliest known victims of Netwalker ransomware. The incident caused delays and disruptions to the organization’s operations.

This attack occurred just before Netwalker switched to a RaaS operation from its previous, smaller-scale model. Luckily for Toll Group, data exfiltration wasn’t prioritized by Netwalker members at the time, so no sensitive data was lost or stolen.

Reports suggested the Netwalker ransomware variant spread to over 1,000 Toll Group servers. In another blow to the company, Nefilim ransomware infiltrated its network just a few months later. Two network compromises in such a short space of time point to ineffective cybersecurity practices and solutions. Nine months after the initial Netwalker attack, a company spokesperson indicated Toll Group was still dealing with the fallout from both ransomware incidents.



K-Electric

K-Electric is an electric supply company in Pakistan with over 10,000 employees. Established in 1913, K-Electric is Pakistan’s largest private sector power supply company. In September 2020, Netwalker threat actors executed the gang’s variant on K-Electric’s IT network, which disrupted billing services for customers. The ransom message demanded $3.8 million in Bitcoin with a threat to increase to $7.7 million if K-Electric executives didn’t pay up.

A statement given by K-Electric to BleepingComputer following the incident outlined that customer data remained intact and secure. This seemed to conflict with a message on Netwalker’s dark web leak site that alluded to stolen unencrypted files from K-Electric’s network. Sure enough, after K-Electric refused to pay up, Netwalker released 8.5 gigabytes of stolen data, including financial data, customer information, and engineering reports.

This attack served as a stark reminder that ransomware gangs aren’t bluffing when they threaten to publish stolen sensitive data online. The lack of transparency from K-Electric about exfiltrated data was also concerning. There is a chance that the company didn’t know copies of sensitive files were taken from the network, but the message communicated seemed definitive in concluding that customer data remained secure.


Weiz, Austria

A May 2020 attack on the municipality of Weiz in Austria exemplified the diverse set of targets within the sights of Netwalker threat actors. The incident saw Netwalker ransomware installed on computer systems that were part of the area’s public network. As an important economic hub with several large companies housing production plants there, the attack perhaps had a more ambitious motive, such as stealing sensitive information belonging to those companies.


Arrest and Dark Web Site Seizure

In January 2021, Canadian police arrested a Netwalker affiliate named Sebastien Vachon-Desjardins and seized almost $500,000 in cryptocurrency payments made to him. In what was a collaborative effort from international law enforcement involving the FBI and Bulgarian authorities, Netwalker’s Tor website was also seized.

A U.S. Department of Justice statement highlighted how law enforcement is “striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims.”

It’s unclear whether Netwalker will return under another moniker, but there has been no evidence of the gang’s operations resuming yet. The law enforcement effort only managed to arrest an affiliate of the gang, which suggests the remaining members are still out there. Perhaps they’re content with the money they managed to make from previous incidents.


Covid-Related Phishing Threats

Netwalker operators adjusted their phishing campaigns to account for the Covid pandemic. The gang members clearly believed that exploiting the uncertainty created by Covid would increase the chances of luring victims into opening malicious email attachments.

These emails appeared to contain information about the latest Covid updates from legitimate sources. In reality, they carried malicious attachments that initiated ransomware attacks by executing malicious payloads and scripts. The estimated $25 million in ransom payments collected at the height of the pandemic by Netwalker backs up the effectiveness of this tactic.

These Covid-related phishing threats demonstrate the extent to which ransomware gangs will adjust their tactics for maximum devastation. Even as the crisis winds down, it’s always worth remembering that threat actors constantly lurk and seek to exploit moments of crisis and uncertainty. As many companies shift to a full-time hybrid work model, phishing emails exploiting work-from-home setups will undoubtedly remain a constant threat.

Businesses need an advanced email security solution if they are to stand a chance of mitigating phishing threats. While it’s possible to train employees to recognize phishing emails, it’s only human that people get conned when they are living through unprecedented times. An advanced email security solution fights phishing from the frontline using self-learning, AI-driven technology.
